The Prophet Spider threat actor is running multiple campaigns in which attackers exploit Oracle WebLogic server flaws to access target environments and then pass that access on to other attackers who deploy ransomware.
Prophet Spider, which CrowdStrike researchers say has been active since at least May 2017, is adept at exploiting and operating in both Windows and Linux environments. It usually breaches victims by compromising vulnerable Web servers, and typically gains initial access by exploiting public-facing applications.
Researchers noticed a recent trend in which Prophet Spider uses CVE-2020-14882 and CVE-2020-14750 to gain a foothold in target environments. Both CVEs are path traversal vulnerabilities that let an attacker reach the WebLogic administrative console, which in turn allows unauthenticated remote code execution.
CrowdStrike notes that "both vulnerabilities are essentially the same." The patch for CVE-2020-14882 was released in October 2020 but was bypassed soon after; the patch for CVE-2020-14750 fixed the problem "in a more comprehensive manner," the researchers write in a blog post.
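Because both CVEs are path traversal bugs that reach the administrative console, a simple first-line detection is to scan Web server or reverse-proxy access logs for request paths that, once fully percent-decoded, contain a `..` segment, and to rank hits against the console path highest. The script below is an added example written for this summary; it is not code from the article or from CrowdStrike. The log lines are constructed, the Common Log Format regex is an assumption about how your front-end logs requests, and `/console/` is assumed to be the console prefix on your deployment.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format; they are not taken from the
# article or from any real incident.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2020:10:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120
10.0.0.9 - - [01/Dec/2020:10:00:02 +0000] "GET /console/images/%252e%252e%252fadmin/ HTTP/1.1" 302 0
10.0.0.7 - - [01/Dec/2020:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 812
10.0.0.9 - - [01/Dec/2020:10:00:04 +0000] "GET /static/..%2f..%2fconf/app.xml HTTP/1.1" 404 0
10.0.0.3 - - [01/Dec/2020:10:00:05 +0000] "GET /docs/v1.2/..notes.html HTTP/1.1" 200 100
"""

# Assumed log layout: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing, so double-encoded
    sequences such as %252e are unmasked. max_rounds bounds the loop."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(target):
    """True if the decoded path contains a literal '..' segment.
    Only whole segments count, so '/docs/..notes.html' is not flagged."""
    path = target.split('?', 1)[0]                 # drop the query string
    path = fully_decode(path).replace('\\', '/')   # treat backslash as a separator too
    return any(seg == '..' for seg in path.split('/'))


def scan_log(text, sensitive_prefix='/console/'):
    """Return one finding per request whose path traverses upward.
    Hits under the console prefix are ranked 'high', all others 'medium'."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not has_traversal(m['target']):
            continue
        decoded = fully_decode(m['target'].split('?', 1)[0])
        findings.append({
            'ip': m['ip'],
            'target': m['target'],
            'decoded': decoded,
            'status': int(m['status']),
            'severity': 'high' if decoded.startswith(sensitive_prefix) else 'medium',
        })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['target']} -> {f['decoded']} ({f['status']})")
```

Run it over the proxy or WebLogic HTTP access logs you already collect. A `high` hit with a 2xx or 3xx status on a host that has not received the CVE-2020-14750 patch is the case to triage first; the scan is a compensating check, not a substitute for patching.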
Prophet Spider has also been seen using older Oracle CVEs such as CVE-2016-0545, as well as gaining initial access via SQL injection. Researchers have not observed the group using phishing, brute forcing, malvertising, or drive-by downloads to gain initial access.
Researchers report at least two cases in which Prophet Spider infections led to ransomware deployment, likely by different attack groups. The most likely explanation for the observed activity, they say, is that Prophet Spider functioned as an access broker and granted access to Egregor and MountLocker ransomware operators in exchange for payment.
Read the full blog post for more details.